v1.2.8: real-IP-leak fix + youtube_via_relay + scan_sni hardening

Rollup of four merged fixes since v1.2.7:

- security: strip identity-revealing forwarding headers in the Apps
  Script relay path. Closes the XFF leak vector from issue #104 —
  users chained behind xray/v2rayNG or running browser extensions
  that inject X-Forwarded-For / Forwarded / Via / CF-Connecting-IP
  etc. would previously have those forwarded to the origin via the
  relay. Now stripped to 16 header variants with a regression test.

- proxy: new `youtube_via_relay` config toggle (#102). Routes
  YouTube family suffixes through Apps Script instead of the
  SNI-rewrite tunnel. Trades SafeSearch-on-SNI for Apps Script's
  fixed User-Agent + quota cost. Off by default.

- scan_sni: decode chunked dns.google DoH responses (#97, from
  @freeinternet865). Without this, PTR lookups always failed and
  scan-sni discovered zero domains.

- scan_sni: verify dns.google TLS with webpki roots (#98, from
  @freeinternet865). The DoH request is a normal public HTTPS call
  — an on-path MITM should not be able to forge PTR answers and
  poison the suggested SNI pool.

73 tests pass (up from 67 — three new chunked-decode tests + one
XFF-filter + two youtube_via_relay branches).

Cargo.lock

@@ -2186,7 +2186,7 @@ dependencies = [
 
 [[package]]
 name = "mhrv-rs"
-version = "1.2.7"
+version = "1.2.8"
 dependencies = [
  "base64 0.22.1",
  "bytes",